
Urgent ConnectWise RMM Bug Vulnerable to Potential Exploitation Surge


ConnectWise ScreenConnect, a remote desktop management tool, is facing an active cyberattack following the discovery of a critical security vulnerability in the platform. This news has raised alarms among researchers, who are warning that the situation could lead to a widespread compromise event.

ScreenConnect is often used by tech support and other professionals to authenticate to a machine as if they were the user, providing a pathway for threat actors to infiltrate high-value endpoints and other areas of corporate networks.

ConnectWise released an advisory on Monday, disclosing an authentication bypass with a maximum score of 10 out of 10 on the CVSS vulnerability severity scale. This vulnerability allows attackers to create their own administrative user on the ScreenConnect server, giving them full control over the server. In addition, it opens the door to a second bug, a path-traversal issue (CVSS 8.4), which allows unauthorized file access.

ConnectWise updated its advisory on Tuesday to confirm active exploitation of the vulnerabilities. According to the company, it has received reports of compromised accounts and has investigated and confirmed the incidents. It has also published a list of indicators of compromise (IoCs) to help administrators identify signs of exploitation.

Piotr Kijewski, CEO at the Shadowserver Foundation, reported initial exploitation requests in the nonprofit organization’s honeypot sensors. He emphasized the importance of checking for signs of compromise and patching vulnerable systems.

The vulnerabilities impact ScreenConnect versions 23.9.7 and earlier, specifically affecting self-hosted or on-premises installations. Cloud customers hosting ScreenConnect servers on the “screenconnect.com” or “hostedrmm.com” domains are not affected.

While exploitation attempts are currently low-volume, experts warn of the potential for significant security implications. Mike Walters, president and co-founder of Action1, expects that thousands of instances could be compromised in the future. He also raised concerns about the possibility of a widespread supply chain attack, similar to the Kaseya vulnerability exploitation in 2021.

Both Huntress researchers and the Horizon3 attack team have publicly released proof-of-concept exploits for the vulnerabilities, heightening the urgency for users to protect themselves. ConnectWise ScreenConnect administrators are advised to upgrade to version 23.9.8 immediately to patch their systems and to use the provided IoCs to search for signs of exploitation.
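As an added example (not code from the article or from ConnectWise), the following Python triage script applies the two facts the advisory states above: self-hosted instances on 23.9.7 or earlier need the 23.9.8 upgrade, while instances hosted on screenconnect.com or hostedrmm.com are not affected. Version strings are compared numerically, because a plain string comparison would wrongly rank 23.10.x below 23.9.8; the hostnames and versions in the sample inventory are constructed.

```python
from typing import NamedTuple

FIXED_VERSION = (23, 9, 8)          # first patched release per the advisory
CLOUD_DOMAINS = ("screenconnect.com", "hostedrmm.com")  # stated as not affected


class Instance(NamedTuple):
    host: str
    version: str


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '23.10.1' into (23, 10, 1) so that it compares above (23, 9, 8).
    Rejects anything with non-numeric components (e.g. '23.9.8-rc1')."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_cloud_hosted(host: str) -> bool:
    """True when the host is (a subdomain of) one of the vendor cloud domains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in CLOUD_DOMAINS)


def classify(inst: Instance) -> str:
    if is_cloud_hosted(inst.host):
        return "not-affected (cloud-hosted)"
    try:
        ver = parse_version(inst.version)
    except ValueError:
        return "unknown (version unparseable, verify manually)"
    ver = ver + (0,) * max(0, 3 - len(ver))   # '23.9' compares like '23.9.0'
    if ver < FIXED_VERSION:
        return "VULNERABLE: upgrade to 23.9.8, then hunt with the vendor IoCs"
    return "patched"


def triage(instances: list[Instance]) -> dict[str, str]:
    return {i.host: classify(i) for i in instances}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        Instance("support.example.internal", "23.9.7"),
        Instance("rmm.example.internal", "23.10.1"),
        Instance("acme.screenconnect.com", "23.9.1"),
        Instance("beta.example.internal", "23.9.8-rc1"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```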

In light of the situation, businesses and organizations using ConnectWise ScreenConnect are encouraged to take proactive measures to secure their systems and networks against potential cyberattacks. The active exploitation of these vulnerabilities underscores the critical importance of timely patching and monitoring for signs of compromise in order to safeguard sensitive data and IT infrastructure.

